Context and Problem

The software shop includes many independent development teams. Every team is required, by organizational policy, to reach some level of security in its application. That policy is stated in terms of CIA (confidentiality, integrity, and availability) and is hard to translate into concrete security architecture, design, and coding requirements; it does not go down to the level of technology or development style. There is a security inspection committee of sorts, but it concentrates mostly on the infrastructure side. Most applications are not inspected for application security during development, so the applications that get built end up incompatible with datacenter policy. That incompatibility is then resolved either by compromising the infrastructure or by weak application design and poor coding practices. Personnel are mostly inexperienced, and turnover is high. Schedules are often very tight. There is no budget for a dedicated application security expert on each team, only for a small group of individuals, the Security Engineering Team (SET).